Tutorial: Force Mode

Description

This tutorial details the use of the Force mode of the Anteater, which enables packet-based, plugin-controlled flow release: any plugin can raise an internal signal to release a specific flow at any time. This is an easy way to simulate L2-7 content-based flow release, where a flow is produced immediately when a certain packet of interest is detected. The following plugins implement the force mode:

basicStats (if the 64-bit count registers overrun)

dnsDecode (if the arrays which hold names overrun)

radiusDecode (when an access accept or reject is received)

Preparation

In order to use it, we first need to prepare T2. If you did not complete the previous tutorials, just follow the procedure described below.

First, restore T2 to a pristine state by removing all unnecessary or older plugins from the plugin folder ~/.tranalyzer/plugins and compile only basicFlow, basicStats, tcpStates and txtSink.

To enable the force mode, edit tranalyzer.h and set FORCE_MODE to 1 as shown above, or use t2conf as shown below, then rebuild all loaded plugins. Several plugins can trigger an alarm concurrently, as we do not know what kind of plugin armada you might develop in the future.

$ t2conf tranalyzer2 -D FORCE_MODE=1
$ t2build -R
...
$

Now the force mode is activated in the core and all plugins which implement it.

Plugin Force Register and Control

Open basicStats.c in an editor, move to the bl_claimInfo function and search for the FORCE_MODE pragmas. If numTBytes or numTPkts would be overrun by the next packet, the current flow is terminated and a new flow begins. The macro T2_RM_FLOW(flowP) does all that for you, so you can now add the force mode to other plugins to your liking in a heartbeat.

If you are interested in adding the force mode to your own plugin, please refer to the plugin force mode tutorial. Now let's see how it works by lowering the threshold of numTPkts to 1023. Just copy the original line so that it is easy to change back.

So numPktsSnt does not exceed 1023, as requested. Please DO NOT forget to switch back to the original condition for the next tutorial by removing our changes to basicStats.c and uncommenting the original line.
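To make the counter check concrete, here is a constructed stand-alone C model of the force-mode logic described above: the flow is released before a counter would overrun, and a new flow starts. It is an added example, not code from basicStats.c or Tranalyzer; flow_counters_t, FORCE_PKT_LIMIT, would_overrun, account_packet and replay_flows are hypothetical names, and the packet limit is set to 1023 as in the tutorial.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed model of a flow's counters (hypothetical struct, not
 * Tranalyzer's own flow structure). */
typedef struct {
    uint64_t numTPkts;   /* packets seen in this flow */
    uint64_t numTBytes;  /* bytes seen in this flow */
} flow_counters_t;

/* Packet count at which a flow is forcibly released. The tutorial lowers
 * this from the 64-bit maximum to 1023 to make the effect visible. */
#define FORCE_PKT_LIMIT 1023ULL

/* True when accounting one more packet of `len` bytes would push a counter
 * past its limit. The byte check is done without wrapping: overflow is
 * detected by comparing `len` against the headroom left below UINT64_MAX
 * instead of adding first and testing the (already wrapped) sum. */
bool would_overrun(const flow_counters_t *f, uint64_t len) {
    if (f->numTPkts >= FORCE_PKT_LIMIT) return true;
    if (len > UINT64_MAX - f->numTBytes) return true;
    return false;
}

/* Feed one packet: release the flow first if it would overrun (this stands
 * in for T2_RM_FLOW(flowP) in the plugin), then account the packet in the
 * current (possibly fresh) flow. */
void account_packet(flow_counters_t *f, uint64_t len, unsigned *flows_released) {
    if (would_overrun(f, len)) {
        (*flows_released)++;
        f->numTPkts = 0;
        f->numTBytes = 0;
    }
    f->numTPkts++;
    f->numTBytes += len;
}

/* Replay `npkts` packets of `len` bytes through one connection; returns how
 * many flows were released early and leaves the packet count of the still
 * open flow in *pkts_in_last_flow. */
unsigned replay_flows(uint64_t npkts, uint64_t len, uint64_t *pkts_in_last_flow) {
    flow_counters_t f = {0, 0};
    unsigned released = 0;
    for (uint64_t i = 0; i < npkts; i++) account_packet(&f, len, &released);
    if (pkts_in_last_flow) *pkts_in_last_flow = f.numTPkts;
    return released;
}
```

With 3000 packets and a limit of 1023, two flows are released early and the third, still open flow holds the remaining 954 packets, which mirrors what the lowered threshold does to numPktsSnt in the txtSink output.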

dnsDecode terminates flows when the arrays which hold DNS names overrun, so it acts on DNS_QRECMAX or DNS_ARECMAX:

At the fourth line of the report, T2 informs you about the [FORCE] mode. At the end we learn that eight flows matched the force criteria and were released early. Select these flows as above.